JWT - B2B

Token Stucture

The B2B-PROXY could insert a JWT in the request header of each authenticated request. Regarding RFC7519 the JWT has the following spec:

The Header:

Field	Provided	Description
kid	ALWAYS	key to identifiy the signing certificate like described in rfc7517
alg	ALWAYS	signature algorithmen – only "RS256" and "HS256" are supported, "RS256" is the prefered one, "NONE" must cause an auth error
typ	ALWAYS	the token type – always "JWT"

The Payload:

According to the the field definitions of Google OpenID Userinfo the payload supports some of the registered claim names.

Field	Provided	Description
iss	ALWAYS	the issuer of this token
iat	ALWAYS	issued at <DATETIME> represented in Unix time (integer seconds)
exp	ALWAYS	expires at <DATETIME> represented in Unix time (integer seconds)
sub	ALWAYS	subject of the token – unique identifier in B2B of the person known as VCDgid
aud	ALWAYS	audience that this ID token is intended for – the basedir or context root the token was created for – the URI up to the first slash

There are also some extensions by B2B

Field	Provided	Description
iss-loc	OPTIONAL	the Issuer Location ‐ in B2B the network zone where the issuing Proxy is placed
uid	OPTIONAL	the UserId – in B2B this is the ProfileID similar to the uid found in the LDAP – always uppercase – optional, could be missing if the proxy could not detect the profileid, e.g. profileselect has to be called. For applications not be part of the authentication process this attribute should always be filled.
atl	ALWAYS	the authlevel, integer 10 – user + password authentication, e.g. basic authentication sufficient for accessing internal data 100 – strong authentication sufficient for accessing confidential data 200 – strong authentication sufficient for accessing secret data
aal	OPTIONAL	Authenticator Assurance Level, interger (0 — 3). This claim denotes the authentication contexts that the user authentication has satisfied regarding the NIST Authentication Mechanism Levels 0 – no authentication 1 – user / password 2 – user / password + TOTP or RSA-Token 3 – PKI-Card

Rotate Sign Keys:

OpenID Connect SignKey Rotation is supported. The jwts_uri is avaliable on any B2B-PROXY. The certificate used for validating the JWT could be downloaded from here. The certificate ist encapsulated in a JSON Object like described in rfc7517. During a period before and after activating a new signing certificate the JSON Object will contain both certificates, the old and the new one.

Name	Style	Server relativ URI
jwts_uri	rfc7517 JSON	/config/public/b2brpx/protocol/openid-connect/certs/
simple certs	human readable	/config/public/b2brpx/protocol/jwtsign/certs/

Example: jwts_uri on this proxy: /config/public/b2brpx/protocol/openid-connect/certs

Example:

The Request https://lso-ti.wob.vw.vwg/check/snoop.jsp extened by the additional Request-Header authn-jwt.

Header:
{
  "kid" : "B2BTIAxV6",
  "alg" : "RS256",
  "typ" : "JWT"
}

Payload:
{
  "iss" : "B2B-PROXY",
  "iss-loc" : "VW-INTRA",
  "iat" : 1619096941,
  "exp" : 1619097900,
  "sub" : "151142F0D9CCDE8D",
  "uid" : "DL10HRS",
  "aal" : "3",
  "atl" : 200,
  "aud" : "/check/"
}